Google has just made a new phishing exploit more difficult to fall for. Previously, employees were inadvertently clicking on malicious links and texts.

When Google adopted a new collaboration feature, the company couldn’t foresee how hackers might manipulate it to support nefarious intentions.

What happened?

Google’s suite of productivity tools has been around for a while and the company continually evolves the suite’s icons, features and functions. The addition of the @mentions feature was meant to serve as a useful upgrade for everyday users.

What is @mentions?

@mentions lets users request comments on a document from a specific colleague. It also automatically triggers an email to the intended workspace collaborator. However, hackers managed to manipulate this tool in order to send malicious links and texts.

Avanan’s findings

According to cyber security researchers with Avanan, a Check Point company, the main issue centered around how the automatic email appeared on employees’ screens.

The email didn’t show the sender’s email address; only the sender’s name. As a result, cyber phishers could launch attacks by impersonating someone who the recipient knew and trusted.

Google’s response

To mitigate the issue, Google now includes the email address of the person who @mentioned someone, making the @mention look more credible.

“When someone mentions you in a comment in a Google Workspace document, we send you an email notification with the comment and commenter’s name. With this update, we are adding the commenter’s email address to the email notification,” Google announced on its Google Workspace updates blog.


With the change, the tech giant intends for users to feel more confident in opening Docs and clicking on links.

According to Google, the change will assist both Google Workspace users and Microsoft’s Outlook users. The majority of nefarious, auto-generated content was delivered to Outlook-based employees. Because Google is considered a trusted source, this malicious content commonly evaded Outlook’s email filters.

Update available

The corresponding Workspace update is available for all Workspace customers, legacy G Suite Basic and Business customers, and for those who maintain personal Google accounts.

According to reports, the update will also help users guard against data theft and information leaks. Workspace admins will be able to view events in Drive audit logs for their organization and for external organizations. Drive audit logs include material that users generate in Google Docs, Sheets and Slides.

Google has supplied a support page for the feature, which states that: “Some events involve domains outside your own; for example, when a user copies a file to another domain. Some of these events are reported in the Drive audit logs of both your domain and the external domain. Names of external documents are not included in audit log entries.”

Related info

In the past few days, Google impersonation emails have increased, according to the company. Take care to avoid suspicious emails that leverage Google Forms and Google’s corresponding response receipts. If you receive a Google Form that you did not request, you can report it to Google via the “report abuse” button at the foot of the form.
